# User authenticators

List of authenticators for a user. Required permissions: organizations:read, orgs:read, users:read, apps:read, [appId]:read, authenticators:read.

Endpoint: GET /v1/users/{userId}/authenticators
Security: ClientAccessToken

## Path parameters:

  - `userId` (string, required)
    ID of the user

## Response 200 fields (application/json):

  - `result` (array, required)
    List of user authenticators

  - `result.id` (string, required)
    The ID of the authenticator, autogenerated upon registration

  - `result.type` (string, required)
    The type of the authenticator
    Enum: "totp", "email_magic_link", "email_otp", "sms_otp", "direct_otp", "webauthn", "password", "mobile_biometric", "pin_authenticator", "google", "facebook", "apple", "line", "saml", "oidc", "face"

  - `result.name` (string)
    The name of the authenticator

  - `result.status` (string, required)
    The status of the authenticator. An authenticator is registered if it hasn't yet been used to authenticate, and active if it's been used at least once. Admins can update the status to deactivated to manually block it (either temporarily or permanently) and an authenticator can become locked by the lockout rules defined in its settings.
    Enum: "Active", "Deactivated", "Registered", "Locked", "Deleted"

  - `result.user_id` (string)
    The ID of the user this authenticator is associated with

  - `result.registered_at` (string, required)
    The date the authenticator was registered. For social login methods, this corresponds to the date it was first used to authenticate. For email/SMS-based ones, it corresponds to the date the email/phone number was added to the user profile.

  - `result.last_successful_authentication` (string)
    Date this authenticator was last used to successfully authenticate.

  - `result.last_failed_authentication` (string)
    The last failed authentication date. For social login and email/SMS-based methods, this may corresponds to an authentications performed for another app in the tenant.

  - `result.app_id` (string)

  - `result.last_accessed_org_id` (string)
    ID of the last organization the authenticator was used to authenticate for

  - `result.lockout` (object)
    Lockout (applicable only when the authenticator’s status is locked)

  - `result.lockout.suspended_until` (string)
    Lockout remaining time

  - `result.lockout.suspended_at` (string)

  - `result.lockout.remaining_attempts` (number)
    Remaining attempts

  - `result.lockout.current_tier` (number)
    Tier number

  - `result.lockout.auto` (boolean)
    Whether the lockout was triggered automatically and suspension is still active

  - `result.extra_data` (any)
    Additional data for the authenticator

  - `result.last_accessed_app_id` (string)
    ID of the last application the authenticator was used to authenticate for